Rust: Handle Deref trait in type inference and data flow

[hvitved]

This PR adds general support for the Deref trait when resolving method calls, which means both supporting it when actually resolving method calls in the type inference library, but also inserting the implicit deref calls in data flow.

As usual, commit-by-commit review is encouraged.

Type inference

When resolving method calls, a set of candidate receiver types are constructed by repeatedly dereferencing the receiver using applicable Deref implementations. Before this PR, we had limited support, namely &(mut) T -> T and String -> str. In order to handle arbitrary chains of dereferences, we introduce a new class DerefChain, based on the shared UnboundList library, which records the chain of deref calls needed to resolve a method call.

After having resolved a method call, type information may also have to flow backwards through the chain of dereferences. Example:

use std::ops::Deref;
use std::ops::DerefMut;

struct S<T>(T);

impl<T> Deref for S<T> {
    type Target = T;

    fn deref(&self) -> &T {
        &self.0
    }
}

impl<T> DerefMut for S<T> {
    fn deref_mut(&mut self) -> &mut T {
        &mut self.0
    }
}

fn f() {
    let v = Vec::new();
    let mut s = S(v);
    s.push(0); // resolves to `Vec::push`, forces `v` to be of type `Vec<i32>`
}

Support for this is implemented in the inferMethodCallTypeSelf predicate, where the DerefChain is applied in reverse order, peeling off the top element until the chain becomes empty.

Data flow

A method call x.m() with an implicit dereference desugars to (*Deref::deref(&x)).m(), so we need to add data flow nodes for &x, Deref::deref(&x), and *Deref::deref(&x), as well as the implicit call to Deref::deref. This means we will have a reference store-step from x to &x and a reference read-step from Deref::deref(&x) to *Deref::deref(&x).

The three different data flow nodes are represented by a state called ImplicitDerefNodeState, and since we need to support arbitrary dereference chains, each synthetic node is additionally tagged with a DerefChain as well as an index into that chain.

A small, but important, performance improvement is made when the targeted deref method is one of the two built-in implementations; in this case, we can add a local flow step directly from x to Deref::deref(&x), which avoids the need for inter-procedural flow.

Evaluation

The changes on this PR resolve a lot of MISSING test expectations. DCA looks really great: Percentage of calls with call target increases by 2 % point, and as a consequence, we gain quite a lot of new results, all without regressing on performance. I also conducted a very positive QA experiment, which confirms the increase in alerts, e.g. 10 % more cleartext-logging results, 25 % more log-injection results, and a staggering 100 % more path-injection results.

[Copilot]

Pull request overview

This PR adds comprehensive support for Rust's Deref trait in both type inference and data flow analysis. The implementation enables proper resolution of method calls through implicit dereference chains and inserts appropriate data flow nodes for such operations.

Key changes:

• Introduces DerefChain class to track chains of implicit dereferences during type inference
• Adds data flow support for implicit deref calls with synthetic nodes
• Resolves numerous test expectations that were previously marked as MISSING

Reviewed changes

Copilot reviewed 33 out of 33 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
shared/util/codeql/util/UnboundList.qll	Makes getElement public to support DerefChain implementation
shared/typeinference/codeql/typeinference/internal/TypeInference.qll	Adds performance optimizations with new predicates and pragma annotations
rust/ql/lib/codeql/rust/internal/typeinference/DerefChain.qll	New file implementing deref chain logic using UnboundList
Test expectation files	Updates reflecting improved type inference and data flow (resolving MISSING cases)
Test source files	Updates comments to reflect resolved test cases (removing MISSING markers)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.